123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 |
- /**
- * A Javascript implementation of AES Cipher Suites for TLS.
- *
- * @author Dave Longley
- *
- * Copyright (c) 2009-2015 Digital Bazaar, Inc.
- *
- */
- var forge = require('./forge');
- require('./aes');
- require('./tls');
- var tls = module.exports = forge.tls;
- /**
- * Supported cipher suites.
- */
- tls.CipherSuites['TLS_RSA_WITH_AES_128_CBC_SHA'] = {
- id: [0x00,0x2f],
- name: 'TLS_RSA_WITH_AES_128_CBC_SHA',
- initSecurityParameters: function(sp) {
- sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes;
- sp.cipher_type = tls.CipherType.block;
- sp.enc_key_length = 16;
- sp.block_length = 16;
- sp.fixed_iv_length = 16;
- sp.record_iv_length = 16;
- sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1;
- sp.mac_length = 20;
- sp.mac_key_length = 20;
- },
- initConnectionState: initConnectionState
- };
- tls.CipherSuites['TLS_RSA_WITH_AES_256_CBC_SHA'] = {
- id: [0x00,0x35],
- name: 'TLS_RSA_WITH_AES_256_CBC_SHA',
- initSecurityParameters: function(sp) {
- sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes;
- sp.cipher_type = tls.CipherType.block;
- sp.enc_key_length = 32;
- sp.block_length = 16;
- sp.fixed_iv_length = 16;
- sp.record_iv_length = 16;
- sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1;
- sp.mac_length = 20;
- sp.mac_key_length = 20;
- },
- initConnectionState: initConnectionState
- };
- function initConnectionState(state, c, sp) {
- var client = (c.entity === forge.tls.ConnectionEnd.client);
- // cipher setup
- state.read.cipherState = {
- init: false,
- cipher: forge.cipher.createDecipher('AES-CBC', client ?
- sp.keys.server_write_key : sp.keys.client_write_key),
- iv: client ? sp.keys.server_write_IV : sp.keys.client_write_IV
- };
- state.write.cipherState = {
- init: false,
- cipher: forge.cipher.createCipher('AES-CBC', client ?
- sp.keys.client_write_key : sp.keys.server_write_key),
- iv: client ? sp.keys.client_write_IV : sp.keys.server_write_IV
- };
- state.read.cipherFunction = decrypt_aes_cbc_sha1;
- state.write.cipherFunction = encrypt_aes_cbc_sha1;
- // MAC setup
- state.read.macLength = state.write.macLength = sp.mac_length;
- state.read.macFunction = state.write.macFunction = tls.hmac_sha1;
- }
- /**
- * Encrypts the TLSCompressed record into a TLSCipherText record using AES
- * in CBC mode.
- *
- * @param record the TLSCompressed record to encrypt.
- * @param s the ConnectionState to use.
- *
- * @return true on success, false on failure.
- */
- function encrypt_aes_cbc_sha1(record, s) {
- var rval = false;
- // append MAC to fragment, update sequence number
- var mac = s.macFunction(s.macKey, s.sequenceNumber, record);
- record.fragment.putBytes(mac);
- s.updateSequenceNumber();
- // TLS 1.1+ use an explicit IV every time to protect against CBC attacks
- var iv;
- if(record.version.minor === tls.Versions.TLS_1_0.minor) {
- // use the pre-generated IV when initializing for TLS 1.0, otherwise use
- // the residue from the previous encryption
- iv = s.cipherState.init ? null : s.cipherState.iv;
- } else {
- iv = forge.random.getBytesSync(16);
- }
- s.cipherState.init = true;
- // start cipher
- var cipher = s.cipherState.cipher;
- cipher.start({iv: iv});
- // TLS 1.1+ write IV into output
- if(record.version.minor >= tls.Versions.TLS_1_1.minor) {
- cipher.output.putBytes(iv);
- }
- // do encryption (default padding is appropriate)
- cipher.update(record.fragment);
- if(cipher.finish(encrypt_aes_cbc_sha1_padding)) {
- // set record fragment to encrypted output
- record.fragment = cipher.output;
- record.length = record.fragment.length();
- rval = true;
- }
- return rval;
- }
- /**
- * Handles padding for aes_cbc_sha1 in encrypt mode.
- *
- * @param blockSize the block size.
- * @param input the input buffer.
- * @param decrypt true in decrypt mode, false in encrypt mode.
- *
- * @return true on success, false on failure.
- */
- function encrypt_aes_cbc_sha1_padding(blockSize, input, decrypt) {
- /* The encrypted data length (TLSCiphertext.length) is one more than the sum
- of SecurityParameters.block_length, TLSCompressed.length,
- SecurityParameters.mac_length, and padding_length.
- The padding may be any length up to 255 bytes long, as long as it results in
- the TLSCiphertext.length being an integral multiple of the block length.
- Lengths longer than necessary might be desirable to frustrate attacks on a
- protocol based on analysis of the lengths of exchanged messages. Each uint8
- in the padding data vector must be filled with the padding length value.
- The padding length should be such that the total size of the
- GenericBlockCipher structure is a multiple of the cipher's block length.
- Legal values range from zero to 255, inclusive. This length specifies the
- length of the padding field exclusive of the padding_length field itself.
- This is slightly different from PKCS#7 because the padding value is 1
- less than the actual number of padding bytes if you include the
- padding_length uint8 itself as a padding byte. */
- if(!decrypt) {
- // get the number of padding bytes required to reach the blockSize and
- // subtract 1 for the padding value (to make room for the padding_length
- // uint8)
- var padding = blockSize - (input.length() % blockSize);
- input.fillWithByte(padding - 1, padding);
- }
- return true;
- }
- /**
- * Handles padding for aes_cbc_sha1 in decrypt mode.
- *
- * @param blockSize the block size.
- * @param output the output buffer.
- * @param decrypt true in decrypt mode, false in encrypt mode.
- *
- * @return true on success, false on failure.
- */
- function decrypt_aes_cbc_sha1_padding(blockSize, output, decrypt) {
- var rval = true;
- if(decrypt) {
- /* The last byte in the output specifies the number of padding bytes not
- including itself. Each of the padding bytes has the same value as that
- last byte (known as the padding_length). Here we check all padding
- bytes to ensure they have the value of padding_length even if one of
- them is bad in order to ward-off timing attacks. */
- var len = output.length();
- var paddingLength = output.last();
- for(var i = len - 1 - paddingLength; i < len - 1; ++i) {
- rval = rval && (output.at(i) == paddingLength);
- }
- if(rval) {
- // trim off padding bytes and last padding length byte
- output.truncate(paddingLength + 1);
- }
- }
- return rval;
- }
- /**
- * Decrypts a TLSCipherText record into a TLSCompressed record using
- * AES in CBC mode.
- *
- * @param record the TLSCipherText record to decrypt.
- * @param s the ConnectionState to use.
- *
- * @return true on success, false on failure.
- */
- var count = 0;
- function decrypt_aes_cbc_sha1(record, s) {
- var rval = false;
- ++count;
- var iv;
- if(record.version.minor === tls.Versions.TLS_1_0.minor) {
- // use pre-generated IV when initializing for TLS 1.0, otherwise use the
- // residue from the previous decryption
- iv = s.cipherState.init ? null : s.cipherState.iv;
- } else {
- // TLS 1.1+ use an explicit IV every time to protect against CBC attacks
- // that is appended to the record fragment
- iv = record.fragment.getBytes(16);
- }
- s.cipherState.init = true;
- // start cipher
- var cipher = s.cipherState.cipher;
- cipher.start({iv: iv});
- // do decryption
- cipher.update(record.fragment);
- rval = cipher.finish(decrypt_aes_cbc_sha1_padding);
- // even if decryption fails, keep going to minimize timing attacks
- // decrypted data:
- // first (len - 20) bytes = application data
- // last 20 bytes = MAC
- var macLen = s.macLength;
- // create a random MAC to check against should the mac length check fail
- // Note: do this regardless of the failure to keep timing consistent
- var mac = forge.random.getBytesSync(macLen);
- // get fragment and mac
- var len = cipher.output.length();
- if(len >= macLen) {
- record.fragment = cipher.output.getBytes(len - macLen);
- mac = cipher.output.getBytes(macLen);
- } else {
- // bad data, but get bytes anyway to try to keep timing consistent
- record.fragment = cipher.output.getBytes();
- }
- record.fragment = forge.util.createBuffer(record.fragment);
- record.length = record.fragment.length();
- // see if data integrity checks out, update sequence number
- var mac2 = s.macFunction(s.macKey, s.sequenceNumber, record);
- s.updateSequenceNumber();
- rval = compareMacs(s.macKey, mac, mac2) && rval;
- return rval;
- }
- /**
- * Safely compare two MACs. This function will compare two MACs in a way
- * that protects against timing attacks.
- *
- * TODO: Expose elsewhere as a utility API.
- *
- * See: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
- *
- * @param key the MAC key to use.
- * @param mac1 as a binary-encoded string of bytes.
- * @param mac2 as a binary-encoded string of bytes.
- *
- * @return true if the MACs are the same, false if not.
- */
- function compareMacs(key, mac1, mac2) {
- var hmac = forge.hmac.create();
- hmac.start('SHA1', key);
- hmac.update(mac1);
- mac1 = hmac.digest().getBytes();
- hmac.start(null, null);
- hmac.update(mac2);
- mac2 = hmac.digest().getBytes();
- return mac1 === mac2;
- }
|